JS: Migrate InsecureDownload

asgerf · asgerf · commit bcc1669f4c1a · 2024-12-13T11:10:14.000+01:00
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/InsecureDownloadCustomizations.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/InsecureDownloadCustomizations.qll
@@ -10,14 +10,52 @@ import javascript
  * Classes and predicates for reasoning about download of sensitive file through insecure connection vulnerabilities.
  */
 module InsecureDownload {
+  private newtype TFlowState =
+    TSensitiveInsecureUrl() or
+    TInsecureUrl()
+
+  /** A flow state to associate with a tracked value. */
+  class FlowState extends TFlowState {
+    /** Gets a string representation fo this flow state */
+    string toString() {
+      this = TSensitiveInsecureUrl() and result = "sensitive-insecure-url"
+      or
+      this = TInsecureUrl() and result = "insecure-url"
+    }
+
+    deprecated DataFlow::FlowLabel toFlowLabel() {
+      this = TSensitiveInsecureUrl() and result instanceof Label::SensitiveInsecureUrl
+      or
+      this = TInsecureUrl() and result instanceof Label::InsecureUrl
+    }
+  }
+
+  /** Predicates for working with flow states. */
+  module FlowState {
+    deprecated FlowState fromFlowLabel(DataFlow::FlowLabel label) { result.toFlowLabel() = label }
+
+    /**
+     * A file URL that is both sensitive and downloaded over an insecure connection.
+     */
+    FlowState sensitiveInsecureUrl() { result = TSensitiveInsecureUrl() }
+
+    /**
+     * A URL that is downloaded over an insecure connection.
+     */
+    FlowState insecureUrl() { result = TInsecureUrl() }
+  }
+
   /**
    * A data flow source for download of sensitive file through insecure connection.
    */
   abstract class Source extends DataFlow::Node {
     /**
-     * Gets a flow-label for this source.
+     * Gets a flow state for this source.
      */
-    abstract DataFlow::FlowLabel getALabel();
+    FlowState getAFlowState() { result = FlowState::insecureUrl() }
+
+    /** DEPRECATED. Use `getAFlowState()` instead. */
+    deprecated DataFlow::FlowLabel getALabel() { result = this.getAFlowState().toFlowLabel() }
   }
 
   /**
@@ -30,9 +68,14 @@ module InsecureDownload {
     abstract DataFlow::Node getDownloadCall();
 
     /**
-     * Gets a flow-label where this sink is vulnerable.
+     * Gets a flow state where this sink is vulnerable.
      */
-    abstract DataFlow::FlowLabel getALabel();
+    FlowState getAFlowState() {
+      result = [FlowState::insecureUrl(), FlowState::sensitiveInsecureUrl()]
+    }
+
+    /** DEPRECATED. Use `getAFlowState()` instead. */
+    deprecated DataFlow::FlowLabel getALabel() { result = this.getAFlowState().toFlowLabel() }
   }
 
   /**
@@ -71,11 +114,11 @@ module InsecureDownload {
       str.regexpMatch("http://.*|ftp://.*")
     }
 
-    override DataFlow::FlowLabel getALabel() {
-      result instanceof Label::InsecureUrl
+    override FlowState getAFlowState() {
+      result = FlowState::insecureUrl()
       or
       hasUnsafeExtension(str) and
-      result instanceof Label::SensitiveInsecureUrl
+      result = FlowState::sensitiveInsecureUrl()
     }
   }
 
@@ -113,11 +156,11 @@ module InsecureDownload {
 
     override DataFlow::Node getDownloadCall() { result = request }
 
-    override DataFlow::FlowLabel getALabel() {
-      result instanceof Label::SensitiveInsecureUrl
+    override FlowState getAFlowState() {
+      result = FlowState::sensitiveInsecureUrl()
       or
       hasUnsafeExtension(request.getASavePath().getStringValue()) and
-      result instanceof Label::InsecureUrl
+      result = FlowState::insecureUrl()
     }
   }
 
@@ -145,7 +188,7 @@ module InsecureDownload {
       )
     }
 
-    override DataFlow::FlowLabel getALabel() { result instanceof Label::InsecureUrl }
+    override FlowState getAFlowState() { result = FlowState::insecureUrl() }
 
     override DataFlow::Node getDownloadCall() { result = request }
   }
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/InsecureDownloadQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/InsecureDownloadQuery.qll
@@ -8,20 +8,19 @@
 
 import javascript
 import InsecureDownloadCustomizations::InsecureDownload
+private import InsecureDownloadCustomizations::InsecureDownload as InsecureDownload
 
 /**
  * A taint tracking configuration for download of sensitive file through insecure connection.
  */
 module InsecureDownloadConfig implements DataFlow::StateConfigSig {
-  class FlowState = DataFlow::FlowLabel;
+  class FlowState = InsecureDownload::FlowState;
 
-  predicate isSource(DataFlow::Node source, DataFlow::FlowLabel label) {
-    source.(Source).getALabel() = label
+  predicate isSource(DataFlow::Node source, FlowState state) {
+    source.(Source).getAFlowState() = state
   }
 
-  predicate isSink(DataFlow::Node sink, DataFlow::FlowLabel label) {
-    sink.(Sink).getALabel() = label
-  }
+  predicate isSink(DataFlow::Node sink, FlowState state) { sink.(Sink).getAFlowState() = state }
 
   predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
 }
@@ -38,11 +37,11 @@ deprecated class Configuration extends DataFlow::Configuration {
   Configuration() { this = "InsecureDownload" }
 
   override predicate isSource(DataFlow::Node source, DataFlow::FlowLabel label) {
-    InsecureDownloadConfig::isSource(source, label)
+    InsecureDownloadConfig::isSource(source, FlowState::fromFlowLabel(label))
   }
 
   override predicate isSink(DataFlow::Node sink, DataFlow::FlowLabel label) {
-    InsecureDownloadConfig::isSink(sink, label)
+    InsecureDownloadConfig::isSink(sink, FlowState::fromFlowLabel(label))
   }
 
   override predicate isBarrier(DataFlow::Node node) {
